Troubleshoot SPF issues

Protect against phishing & prevent messages from being marked as spam

Follow the steps in this article if you set up SPF but messages sent from your domains are still:

  • Failing SPF authentication
  • Rejected by receiving servers
  • Sent to recipients’ spam folders

Note: It can take up to 48 hours after adding an SPF record for SPF authentication to start working.

Basic troubleshooting for SPF

Many SPF issues can be identified and resolved by following the steps in this section.

Verify SPF is set up correctly

To verify your SPF record is set up correctly, review these setup steps:

  1. Check if you have an existing SPF record.
  2. Define your SPF record.
  3. Add your SPF record at your domain provider.
  4. Make sure your domain has only one SPF record.

Verify outgoing messages pass SPF authentication

Email message headers have the results of SPF authentication check. Check that messages sent from your domain pass SPF authentication.

Recommended steps:

  • Check the headers in a message sent from your domain to learn if messages are passing SPF.
  • In Gmail, click Show original for a message, then check the SPF status in the original message. Learn more about checking message headers in Gmail
  • Enter message headers into Google Admin Toolbox Messageheader tool and check the SPF status.

Verify that your SPF record includes all current email senders

If your SPF record doesn’t include all services or servers that send mail for your domain, receiving servers might send messages to spam.

Recommended steps:

Check message forwarding

Even if SPF is correctly set up for your domain, forwarded messages can fail SPF. This is usually because of the way the forwarding server forwards messages.

Recommended steps:

  • To verify the message was forwarded and get the original recipient address, get message details with Email Log Search. If the person reporting a message as spam isn’t the original recipient, it’s likely the message was forwarded.
  • Contact the third party that forwarded the message to find out if they can change how they forward messages.
  • Use the tools described in Advanced Troubleshooting to check for suspicious email activity. Sometimes spammers forward messages to impersonate domains or organizations.

Review your email sending practices

If your domain has a valid SPF record and messages are still sent to spam, the cause might be something other than SPF. 

Recommended steps:

Advanced troubleshooting for SPF

If basic troubleshooting steps did not identify the issue, try these advanced troubleshooting steps.

Get SPF authentication results in message headers

The headers of messages sent from your domain have information about SPF authentication. To get the full headers of messages sent from your domain, follow the steps in Trace an email with its full headers.

Find the part of the message header that starts with Authentication-Results, and note the text next to the entry spf. Depending on the information in this part of the header, take the recommended steps below.

Message header content Possible causes Recommended steps
No spf entry in Authentication-Results The message did not go through an SPF check. Your SPF record might not be set up correctly. Verify SPF is set up correctly.
The spf entry includes best guess record

Possible causes include:

  • SPF hasn’t been set up for your domain.
  • SPF isn’t set up correctly for your domain.
  • There’s an issue with the DNS at your domain provider.
The SPF result is neutral, softfail, or fail.

The SPF result is the text after spf=.

Possible causes include:

  • The message is from a legitimate sender but the IP address of that sender isn’t included in your SPF record.
  • The message was intentionally sent from an unverified IP address.
  • The message is from an unauthorized sender. In this case, the SPF results are correct. 
The SPF result is temperror or permerror

The SPF result is the text after spf=. 

Possible causes include:

  • The message is from a legitimate sender but the IP address of the sender isn’t included in your SPF record.
  • The message was intentionally sent from an unverified IP address.
  • The message is from an unauthorized sender. In this case, the SPF results are accurate.

 

Check the DNS lookups in your SPF record

SPF records support up to 10 lookups. So, your SPF TXT record can’t include more than 10 references to other domains. Each of these mechanisms in your SPF record results in a lookup: a, mx, include, ptr.

If your TXT record results in more than 10 lookups, messages from your domain won’t pass SPF and could be sent to spam.

What are DNS lookups? When a mail server checks incoming messages against your SPF record, the server might have to do a lookup. A lookup is the process of finding the IP addresses for a domain. When your SPF record authorizes domains to send mail for you, receiving servers check the IP address for the authorized domain. 

Recommended steps:

  • Check the number of lookups in your SPF record with the Check MX tool in the Google Admin Toolbox. 
  • Remove duplicate mechanisms, and mechanisms that refer to the same domain.
  • Be aware of nested lookups, which count toward the limit of 10. If your SPF record includes a domain, and that domain includes other domains in its SPF record, those other domains are counted toward your SPF record limit.
  • When using the include mechanism, keep in mind nested lookups might cause your SPF record to exceed 10 lookups.
  • When using the ip4 and ip6 mechanisms, keep in mind that SPF records have a 255 character string limit.
  • Only include domains that are actively sending email for you.
  • Remove any include mechanisms for third parties that no longer send mail for your domain.

Get detailed insights with Google Workspace reporting tools

To get detailed information about email delivery and authentication for your domain, try these Google Workspace reporting tools.

Tool Recommended steps

Email Log Search

To help you troubleshoot forwarding issues, get the original destination address for inbound and outbound messages with Email Log Search (ELS) . ELS includes the source IP address of incoming messages, so you can troubleshoot SPF authentication issues. ELS also shows if messages received by users in your domain are marked as spam.

Authentication report

Check which messages from your domain pass SPF, DKIM, and DMARC authentication checks with the Authentication report.

Postmaster Tools

If you regularly send large volumes of email, get details about messages sent by your domain with Postmaster Tools. This tool has information about delivery errors, spam reports, and feedback loops.

Security investigation tool

Get the authentication status of incoming messages, and identify incoming unauthenticated messages with the security investigation tool.

BigQuery and Gmail reports

Get the authentication status of incoming messages, detailed information about individual messages, and delivery statistics over time with BigQuery with Gmail reports.
Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
73010
false